Arbitrary Code Execution through Improper Handling of Batch Files
CVE-2024-36138

8.1HIGH

Key Information:

Vendor

Nodejs

Status
Node
Vendor
CVE Published:
7 September 2024

Badges

đź“° News Worthy

What is CVE-2024-36138?

This vulnerability arises from an incomplete fix related to the improper handling of batch files with various extensions on Windows. By exploiting the child_process.spawn or child_process.spawnSync functions, a malicious actor can inject arbitrary commands through crafted command line arguments, leading to potential code execution without requiring the shell option to be enabled. This vulnerability highlights the need for robust scrutiny in command processing, especially given its implications for security in applications running on affected versions of Node.js.

Affected Version(s)

node 18.20.3

node 20.15.0

node 22.4.0

News Articles

favicon imageecmascript.uk

Node.js — Monday, July 8, 2024 Security Releases

Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine.

favicon imageNode.js

Node.js — Monday, July 8, 2024 Security Releases

Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine.

References

https://nodejs.org/en/blog/vulnerability/july-2024-securi...

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • đź“°

    First article discovered by Node.js

  • Vulnerability Reserved

.